
grouper-users - RE: [grouper-users] adhoc group memberships, what to do when IDM Roles change

Subject: Grouper Users - Open Discussion List

  • From: Jim Fox <>
  • To: Chris Hyzer <>
  • Cc: Steven Carmody <>, Grouper-Users <>
  • Subject: RE: [grouper-users] adhoc group memberships, what to do when IDM Roles change
  • Date: Fri, 8 May 2015 09:10:48 -0700 (PDT)


It is common at UWash for people to put rules on their groups that members must also be members of the employee group. Some people might use finer filters, but 'employee' is by far the most popular.

Jim


On Fri, 8 May 2015, Chris Hyzer wrote:

Date: Fri, 8 May 2015 08:39:27
From: Chris Hyzer <>
To: Steven Carmody <>, Grouper-Users <>
Subject: RE: [grouper-users] adhoc group memberships, what to do when IDM Roles change

We have a few options at Penn:

1. Intersect the employee group for auto-removal
2. Rule on employee group for auto-removal or auto-end date in the near future
3. Rule on org list so if removed from org due to leaving Penn or switching
orgs:
- remove from group
- -or- send email so someone can review
4. There is a deprovisioning process where one step is for a Group
administrator to review memberships/privs and remove all but ones that are
needed

I could imagine a Grouper rule like #3 above where if someone changes orgs or
is removed from all orgs that it determines groups which aren't exempt from
the process which have the person as an ad hoc member, puts an end-date on
membership (few days?) and emails the UPDATERS/ADMINS of the group letting
them know they can remove the end date if they like...

Chris

-----Original Message-----
From: [mailto:] On Behalf Of Steven Carmody
Sent: Friday, May 08, 2015 9:41 AM
To: Grouper-Users
Subject: [grouper-users] adhoc group memberships, what to do when IDM Roles change

Hi,

We've delegated to Depts the authority to create and manage adhoc groups
to meet their local needs. We're now trying to figure what to do when a
"significant" change occurs in a person's relationships with Brown, and
their Roles. Examples could include a staff person moving to a new job
in a different dept, or a student becoming an alum (we now support
lifetime accounts for students/alums).

We also allow people to authenticate for 18 months after separating from
Brown, but remove all of the privileges that we know about (except being
able to login to the HR/payroll system in order to obtain a W-2). "Doing
something" about adhoc group memberships would be part of removing
privileges.

Our current best thought (which isn't really very good) is to have the
IDM/Person Registry/Provisioning Rules "tell" a process what change has
occurred. That process would obtain all the adhoc groups that this
person is a member of, and send an email to the owners of each group and
the person saying that unless a certain action is taken by a certain
date the person will be removed from the group (default is to remove).
(Note -- people have a number of group memberships based on their
affiliation and role; as their status in the relevant Business system is
updated these memberships will be changed automatically; I'm only
worried about adhoc memberships.)

We expect that other schools are already starting to encounter this
problem, tho, and we're interested in hearing how other campuses are
approaching this situation.

thanks in advance !
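
The end-date-and-notify flow discussed in this thread (role change, end date on ad hoc memberships in non-exempt groups, notice to the group's admins, removal by default), sketched as an added example that is not part of the original messages and does not use the Grouper API. The `Group` model, the function names, the sample data and the 3-day grace period are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

GRACE_DAYS = 3  # assumption: the thread only suggests "few days?"

@dataclass
class Group:
    name: str
    admins: list                 # UPDATERS/ADMINS who receive the notice
    exempt: bool = False         # exempt groups are skipped by the rule
    adhoc: dict = field(default_factory=dict)  # member -> end date, or None

def on_role_change(person, groups, today):
    """End-date the person's ad hoc memberships in non-exempt groups and
    return (recipient, message) notices for each affected group's admins."""
    notices = []
    new_end = today + timedelta(days=GRACE_DAYS)
    for g in groups:
        if g.exempt or person not in g.adhoc:
            continue
        current = g.adhoc[person]
        # Never extend an end date that is already sooner than the grace period.
        g.adhoc[person] = new_end if current is None else min(current, new_end)
        for admin in g.admins:
            notices.append((admin, f"{person} will be removed from {g.name} on "
                                   f"{g.adhoc[person]}; clear the end date to keep them"))
    return notices

def sweep(groups, today):
    """Default action: remove memberships whose end date has been reached."""
    removed = []
    for g in groups:
        for person, end in list(g.adhoc.items()):
            if end is not None and end <= today:
                del g.adhoc[person]
                removed.append((g.name, person))
    return removed

def demo():
    # Constructed sample data: two ordinary groups and one exempt group.
    lab = Group("dept:chem:lab-access", ["alice"], adhoc={"pat": None, "sam": None})
    proj = Group("dept:chem:project-x", ["carol"], adhoc={"pat": None})
    club = Group("dept:chem:social", ["bob"], exempt=True, adhoc={"pat": None})
    groups = [lab, proj, club]
    day0 = date(2015, 5, 8)
    notices = on_role_change("pat", groups, day0)   # pat changes departments
    proj.adhoc["pat"] = None                        # carol reviews and keeps pat
    removed = sweep(groups, day0 + timedelta(days=GRACE_DAYS))
    return notices, removed, {g.name: g for g in groups}
```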



